Assistant Commissioner for Patents
Washington, D.C. 20231 

Sir: 

Prior to examination on the merits, please amend the above- 
identified patent application as follows: 

IN THE SPECIFICATION:

Please amend the specification as follows: 
Page 6, line 10, change "difference mask" to --output mask--.

Page 15, line 9, change "part 34" to --part 347--.

IN THE CLAIMS:

Kindly cancel existing claims 1-13 and add the following new claims: 
--14. A cryptographic device which encrypts input data by
sequentially processing it by a plurality of round processing which 
nonlinearly transforms it using extended key, comprising: 

an initial splitting part which splits said input data to two pieces 
of block data; 

a key storage part for storing extended key; 

a plurality of cascade-connected round processing parts which 
are supplied with said two pieces of block data and sequentially process 
them using said extended key; and 

a final combining part which combines two pieces of block data 
output from the last round of said plurality of cascade-connected round 
processing parts into a single piece of data and outputs it;

wherein each of said plurality of round processing part comprises:

a non-linear function part which transforms one of two pieces of 
block data input thereto from the preceding stage, depending on extended 
key stored in said key storage part; 

a linear operation part which linearly operates the output data 
from said nonlinear function part and the other of said two pieces of block 
data; and 

a swapping part which swaps the output data from said linear 
operation part and the input block data to said nonlinear function part and 
provides the two pieces of swapped data as two pieces of input block data 
to said round processing part of the next round; and 

wherein said nonlinear function part comprises: 

a key-dependent linear transformation part which linearly 
transforms input data based on extended key stored in said key storage 
part to thereby generate transformed data; 

a splitting part which split the transformed data from said key- 
dependent linear transformation part to a plurality of bit strings;

a plurality of first nonlinear transformation parts which
nonlinearly transform said plurality of bit strings, respectively, and output 
transformed data; 

a first linear transformation part which linearly transforms said 
transformed data from said plurality of first nonlinear transformation parts 
in association with each other and outputs a plurality of pieces of 
uniformed data to a plurality of routes, respectively; 

a second nonlinear transformation part provided in at least one 
of said plurality of routes, for nonlinearly transforming said transformation 
parts, and for outputting the transformed data as data of that route; and 

a combining part which combines data from said plurality of 
routes into output data of said nonlinear function part. 

15. The cryptographic device of claim 14, wherein said first linear
transformation part comprises a key-dependent linear operation part which 
linearly transforms said plurality of pieces of uniformed data based on 
extended key stored in said key storage part and outputs the plurality of 
transformed data as data of said plurality of routes. 



16. The cryptographic device of claim 15, further comprising a
second linear transformation part which linearly transforms the output data 
from said combining part to provide the output data of said nonlinear 
function part. 

17. The cryptographic device of claim 16, wherein said second
linear transformation part is a linear transformation part which performs a
linear transformation based on extended key stored in said key storage
part. 

18. The cryptographic device of claim 17, wherein said first linear
transformation part comprises at least one exclusive OR circuit provided in 
each of said plurality of routes, for outputting said uniformed data to said 
each route by an exclusive-OR operation of data of said each route and 
data of other routes. 



19. The cryptographic device of claim 14, further comprising a
second linear transformation part which linearly transforms the output data
of said combining part to provide the transformed data as output data of 
said nonlinear function part. 

20. The cryptographic device of claim 19, wherein said second
linear transformation part is a linear transformation part which performs a 
linear transformation based on extended key stored in said key storage 
part. 

21. The cryptographic device of claim 19, wherein said first linear
transformation part comprises at least one exclusive OR circuit provided in 
each of said plurality of routes, for outputting said uniformed data to said 
each route by an exclusive-OR operation of data of said each route and 
data of other routes. 

22. The cryptographic device of any one of claims 14 through 21,
further comprising an initial linear transformation part which linearly
transforms said input data and supplies it to said initial splitting part.

23. The cryptographic device of claim 22, wherein said initial linear
transformation part is a transformation part which performs a linear 
transformation based on extended key stored in said key storage part. 

24. The cryptographic device of claim 23, further comprising a final 
linear transformation part which linearly transforms the output data of said 
final combining part to provide it as the output of said cryptographic device. 

25. The cryptographic device of claim 24, wherein said final linear 
transformation part is a transformation part which performs a linear 
transformation based on extended key stored in said key storage part. 

26. The cryptographic device of claim 22, further comprising a final 
linear transformation part which linearly transforms the output data of said 
final combining part to provide it as the output of said cryptographic device. 

27. The cryptographic device of claim 26, wherein said final linear
transformation part is a transformation part which performs a linear
transformation based on extended key stored in said key storage part. 

28. The cryptographic device of claim 26, wherein said plurality of 
routes are first, second, third and fourth routes arranged in this order. 

29. The cryptographic device of claim 28, wherein said second 
nonlinear transformation part is provided in each of said four routes. 

30. The cryptographic device of claim 28, wherein said second 
nonlinear transformation part is provided in each of said first and fourth 
routes. 

31. The cryptographic device of claim 30, wherein said first linear
transformation part comprises:

a first exclusive OR circuit provided in said second route, for
carrying out the exclusive-OR between data of said first route and data of
said second route;

a second exclusive-OR circuit provided in said third route, for
carrying out the exclusive OR between data of said fourth route and data of 
said third route; 

a third exclusive-OR circuit provided in said third route, for 
carrying out the exclusive OR between the output of said second exclusive- 
OR circuit and the output of said first exclusive-OR circuit; 

a fourth exclusive-OR circuit provided in said second route, for 
carrying out the exclusive OR between the output of said first exclusive-OR 
circuit and the output of said third exclusive-OR circuit; 

a fifth exclusive-OR circuit provided in said first route, for 
carrying out the exclusive OR between the output of said first exclusive-OR 
circuit and the output of said fourth exclusive-OR circuit; 

a sixth exclusive-OR circuit provided in said fourth route, for 
carrying out the exclusive OR between the data of said fourth route and the 
output of said third exclusive-OR circuit. 



32. The cryptographic device of claim 23, wherein said plurality of 
routes are first, second, third and fourth routes arranged in this order. 



33. The cryptographic device of claim 32, wherein said second
nonlinear transformation part is provided in each of said four routes. 

34. The cryptographic device of claim 32, wherein said second 
nonlinear transformation part is provided in each of said first and fourth 
routes. 

35. The cryptographic device of claim 34, wherein said first linear 
transformation part comprises: 

a first exclusive OR circuit provided in said second route, for 
carrying out the exclusive-OR between data of said first route and data of 
said second route; 

a second exclusive-OR circuit provided in said third route, for 
carrying out the exclusive OR between data of said fourth route and data of 
said third route; 

a third exclusive-OR circuit provided in said third route, for 
carrying out the exclusive OR between the output of said second exclusive- 
OR circuit and the output of said first exclusive-OR circuit;

a fourth exclusive-OR circuit provided in said second route, for
carrying out the exclusive OR between the output of said first exclusive-OR 
circuit and the output of said third exclusive-OR circuit; 

a fifth exclusive-OR circuit provided in said first route, for 
carrying out the exclusive OR between the data of said first route and the 
output of said fourth exclusive-OR circuit; and 

a sixth exclusive-OR circuit provided in said fourth route, for 
carrying out the exclusive OR between the data of said fourth route and the 
output of said third exclusive-OR circuit. 

36. The cryptographic device of claims 25, wherein said plurality of 
routes are first, second, third and fourth routes arranged in this order. 

37. The cryptographic device of claim 33, wherein said second 
nonlinear transformation part is provided in each of said four routes. 

38. The cryptographic device of claim 33, wherein said second 
nonlinear transformation part is provided in each of said first and fourth
routes.



39. The cryptographic device of claim 35, wherein said first linear 
transformation part comprises; 

a first exclusive OR circuit provided in said second route, for 
carrying out the exclusive-OR between data of said first route and data of 
said second route; 

a second exclusive-OR circuit provided in said third route, for 
carrying out the exclusive OR between data of said fourth route and data of 
said third route; 

a third exclusive-OR circuit provided in said third route, for 
carrying out the exclusive OR between the output of said second exclusive- 
OR circuit and the output of said first exclusive-OR circuit; 

a fourth exclusive-OR circuit provided in said second route, for 
carrying out the exclusive OR between the output of said first exclusive-OR 
circuit and the output of said third exclusive-OR circuit; 

a fifth exclusive-OR circuit provided in said first route, for 
carrying out the exclusive OR between the data of said first route and the
output of said fourth exclusive-OR circuit; and

a sixth exclusive-OR circuit provided in said fourth route, for
carrying out the exclusive OR between the data of said fourth route and the
output of said third exclusive-OR circuit. 

40. The cryptographic device of any one of claims 14 through 21,
further comprising a final linear transformation part which linearly 
transforms the output data of said final combining part to provide it as the 
output of said cryptographic device. 

41. The cryptographic device of claim 40, wherein said final linear
transformation part is a transformation part which performs a linear 
transformation based on extended key stored in said key storage part. 

42. The cryptographic device of claim 40, wherein said plurality of 
routes are first, second, third and fourth routes arranged in this order. 

43. The cryptographic device of claim 42, wherein said second
nonlinear transformation part is provided in each of said four routes.

44. The cryptographic device of claim 42, wherein said second
nonlinear transformation part is provided in each of said first and fourth 
routes. 

45. The cryptographic device of claim 44, wherein said first linear 
transformation part comprises: 

a first exclusive OR circuit provided in said second route, for 
carrying out the exclusive-OR between data of said first route and data of 
said second route; 

a second exclusive-OR circuit provided in said third route, for 
carrying out the exclusive OR between data of said fourth route and data of 
said third route; 

a third exclusive-OR circuit provided in said third route, for 
carrying out the exclusive OR between the output of said second exclusive- 
OR circuit and the output of said first exclusive-OR circuit; 

a fourth exclusive-OR circuit provided in said second route, for
carrying out the exclusive OR between the output of said first exclusive-OR
circuit and the output of said third exclusive-OR circuit; 

a fifth exclusive-OR circuit provided in said first route, for 
carrying out the exclusive OR between the data of said first route and the 
output of said fourth exclusive-OR circuit; and 

a sixth exclusive-OR circuit provided in said fourth route, for 
carrying out the exclusive OR between the data of said fourth route and the 
output of said third exclusive-OR circuit. 

46. The cryptographic device of any one of claims 14 through 21, 
wherein said plurality of routes are first, second, third and fourth routes 
arranged in this order. 

47. The cryptographic device of claim 46, wherein said second 
nonlinear transformation part is provided in each of said four routes. 

48. The cryptographic device of claim 46, wherein said second 
nonlinear transformation part is provided in each of said first and fourth
routes.



49. The cryptographic device of claim 48, wherein said first linear 
transformation part comprises: 

a first exclusive Or circuit provided in said second route, for 
carrying out the exclusive OR between data of said fourth route and data of 
said third route; 

a third exclusive-OR circuit provided in said third route, for 
carrying out the exclusive OR between the output of said second exclusive- 
OR circuit and the output of said first exclusive-OR circuit; 

a fourth circuit-OR circuit provided in said second route, for 
carrying out the exclusive OR between the output of said first exclusive-OR 
circuit and the output of said third exclusive-OR circuit; 

a fifth exclusive-OR circuit provided in said first route, for 
carrying out the exclusive OR between the data of said first route and the 
output of said fourth exclusive-OR circuit; and 

a sixth exclusive-OR circuit provided in said fourth route, for 
carrying out the exclusive OR between the data of said fourth route and the
output of said third exclusive-OR circuit.--



REMARKS 



Claims 14-49 are pending in the application.

The specification has been amended to correct minor typographic
errors noted when the specification was translated into English, and the
claims have been revised to more clearly describe the invention. No new 
matter has been added. 

Examination on the merits of the above patent application is 
respectfully requested. 



Respectfully submitted 




George R. Pettit, Reg. No. 27,369 
Pollock, Vande Sande & Amernick, R.L.L.P. 
1990 M Street, N.W., Suite 800 
Washington, D.C. 20036-3425 
Telephone: 202-331-7111 



Date: December 27, 1999

CRYPTOGRAPHIC DEVICE

TECHNICAL FIELD

The present invention relates to an encryption device for
concealing data in data communication or storage and, more
particularly, to an encryption device of a secret-key algorithm which
encrypts or decrypts data in blocks using a secret key.

A typical secret-key algorithm, which is used in an encryption
device to conceal data, is the DES (Data Encryption Standard) that is a
FIPS-approved algorithm for encryption (FIPS 46-3).

Fig. 1 illustrates the functional configuration of the DES. The DES
uses a 56-bit secret key to encrypt or decrypt data in blocks of 64
bits. In Fig. 1 the encryption process begins with the initial
permutation of 64 bits of a plaintext P in an initial permutation
part 11 which is followed by splitting the transformed data into two
pieces of 32-bit block data $L_0$ and $R_0$. The block data $R_0$ is
input into a function operation part (which is commonly called a round
function) 12 shown as an i-th round processing part $14_i$
(i = 0, 1, ..., 15) in Fig. 2, wherein it is transformed to
$f(R_0, k_0)$ using a 48-bit extended key $k_0$. This transformed data
$f(R_0, k_0)$ and the block data $L_0$ are exclusive ORed in an XOR
circuit 13, and its output and the block data $R_0$ are interchanged to
obtain the next block data $L_1$, $R_1$. That is,

$$R_1 = L_0 \oplus f(R_0, k_0)$$
$$L_1 = R_0 \qquad (1)$$

A 0-th round processing part $14_0$ comprises an operation part 12, an
exclusive OR circuit 13 and a data swapping part, by which two pieces
of input data $L_0$ and $R_0$ are subjected to round processing to
provide output block data $L_1$ and $R_1$, and similar round processing
parts $14_1$ to $14_{15}$ are provided in cascade. The processing by
the i-th round processing part $14_i$ will hereinafter be referred to
as i-th processing, where i = 0, ..., 15. That is, each round
processing part $14_i$ ($0 \le i \le 15$) performs the following
processing

$$R_{i+1} = L_i \oplus f(R_i, k_i)$$
$$L_{i+1} = R_i \qquad (2)$$

and finally combines two pieces of data $R_{16}$ and $L_{16}$ into
64-bit data, which is transformed in a final permutation part 15 to
provide a 64-bit ciphertext. The decryption processing can be performed
following the same procedure as that for the encryption processing
except inputting extended keys $k_0, k_1, \ldots, k_{14}, k_{15}$ into
a function f in the order $k_{15}, k_{14}, \ldots, k_1, k_0$ which is
reverse to that in the encryption processing. In such an instance, the
outputs $L_{16}$ and $R_{16}$ from the final round processing part
$14_{15}$ are further swapped as depicted, and in the decryption
processing the plaintext is provided intact at the output of the final
permutation part 15 by inputting the ciphertext into the initial
permutation part 11 to subject it to the processing of Fig. 1. Of
course, exactly the same result could be obtained even by providing
data to the final permutation part 15 without swapping the outputs of
the final round processing part $14_{15}$. Incidentally, the extended
keys $k_0, k_1, \ldots, k_{14}, k_{15}$ are generated by extending a
56-bit secret key to 16 48-bit extended keys with a total of 768 bits
in an extended key generation part 16 separate from the encryption
processing.

The processing in the function operation part 12 is performed as
shown in Fig. 2. To begin with, the 32-bit block data $R_i$ is
transformed to 48-bit data $E(R_i)$ in an extended permutation part
17. This output data and the extended key $k_i$ are exclusive ORed in
an XOR circuit 18, whose output is transformed to 48-bit data
$E(R_i) \oplus k_i$, which is then split to eight pieces of 6-bit
sub-block data. The eight pieces of sub-block data are input into
different S-boxes $S_1$ to $S_8$ to derive therefrom a 4-bit output,
respectively. Incidentally, the S-box $S_j$ (j = 1, ..., 8) is a
nonlinear transformation table that transforms the 6-bit input data to
the 4-bit output data, and this is a part that assumes a key role
essentially in providing security for the DES. The eight pieces of
output data from the S-boxes $S_1$ to $S_8$ are concatenated again to
32-bit data, which is applied to a transpose part 19 to obtain an
output $f(R_i, k_i)$ of the function f which is exclusive ORed with
$L_i$ as depicted in Fig. 8.

Next, a description will be given of cryptanalysis techniques. A
wide variety of cryptanalysis techniques have been proposed for the
DES and other traditional secret-key algorithms; extremely effective
cryptanalysis techniques among them are a differential
cryptanalysis technique proposed by E. Biham and A. Shamir
("Differential Cryptanalysis of DES-like Cryptosystems," Proceedings
of CRYPTO '90) and a linear cryptanalysis technique proposed by
Matsui ("Linear Cryptanalysis (I) of DES Cryptosystem," The 1993
Symposium on Cryptography and Information Security 1993,
SCIS93-3C).

With the difference between two pieces of data X and X* defined as

$$\Delta X = X \oplus X^* \qquad (3)$$

the differential cryptanalysis aims to obtain the extended key
$k_{15}$ in the final round by applying to the following equations two
sets of plaintext-ciphertext pairs that an attacker possesses. Let
$L_i$ and $R_i$ represent two pieces of block data for a first
plaintext input into each round processing part $14_i$ of Fig. 1 and
$L^*_i$ and $R^*_i$ represent two pieces of block data for a second
plaintext input into each round processing part $14_i$. And let it be
assumed that ciphertexts are provided in response to the input of these
first and second plaintexts. Under the definition of Eq. (3), it holds
that

$$\Delta L_i = L_i \oplus L^*_i$$
$$\Delta R_i = R_i \oplus R^*_i \qquad (4)$$

In Fig. 1, since $L_{15} = R_{14}$, $L^*_{15} = R^*_{14}$,
$L_{16} = R_{15}$ and $L^*_{16} = R^*_{15}$, the following equations
hold

$$R_{16} = L_{15} \oplus f(R_{15}, k_{15})$$
$$R^*_{16} = L^*_{15} \oplus f(R^*_{15}, k_{15}) \qquad (5)$$

and the exclusive OR of both sides of these two equations is obtained
as follows:

$$\Delta R_{16} = \Delta L_{15} \oplus f(L_{16}, k_{15}) \oplus f(L_{16} \oplus \Delta L_{16}, k_{15}) \qquad (6)$$

The exclusive ORing of its both sides with
$\Delta R_{14} = \Delta L_{15}$ gives the following equation:

$$f(L_{16}, k_{15}) \oplus f(L_{16} \oplus \Delta L_{16}, k_{15}) = \Delta R_{16} \oplus \Delta R_{14} \qquad (7)$$

At this time, $L_{16}$, $\Delta L_{16}$ and $\Delta R_{16}$ are data
available from the ciphertext, and hence they are known information.
Hence, if the attacker can correctly obtain $\Delta R_{14}$, then only
$k_{15}$ in the above equation becomes an unknown constant; the
attacker can find a correct $k_{15}$ without fail by making an
exhaustive search for $k_{15}$ through utilization of the known sets of
plaintext-ciphertext pairs. On the other hand, $\Delta R_{14}$ is
difficult in general to obtain since this value is an intermediate
difference value. Then, assume that each round processing part $14_i$
is approximated by the following equations with a probability $p_i$ in
each of the 0-th to the last round but one:

$$\Delta R_{i+1} = \Delta L_i \oplus \Delta\{f(\Delta R_i)\}$$
$$\Delta L_{i+1} = \Delta R_i \qquad (8)$$

The point is that when certain $\Delta R_i$ is input,
$\Delta\{f(\Delta R_i)\}$ can be predicted with the probability $p_i$
regardless of the value of the extended key $k_i$. The reason for which
such approximations can be made is that $\Delta\{f(\Delta R_i)\}$ is
affected only by the S-box part which is a nonlinear transformation
table, and that according to the input differences thereto, the S-boxes
provide an extremely uneven distribution of difference outputs. For
example, in the S-box S1, an input difference "110100" is transformed
to an output difference "0010" with a probability of 1/4. Then, the
approximation for each round is obtained by assuming that each S-box is
capable of predicting the relationship between the input difference and
the output difference with a probability of $p_{si}$ and by combining
them. Furthermore, the concatenation of such approximations in the
respective rounds makes it possible to obtain $\Delta R_{14}$ from
$\Delta L_0$ and $\Delta R_0$ ($\Delta L_0$ and $\Delta R_0$ are data
derivable from the plaintext, and hence they are known.) with a
probability of $P = \prod_i p_i$. Incidentally, the higher the
probability P, the easier the cryptanalysis. After the extended key
$k_{15}$ is thus obtained, a similar calculation is made of the
extended key $k_{14}$ regarding it as a 15-round DES that is one round
fewer than in the above; such operations are repeated to obtain the
extended keys one by one to $k_0$.

Biham et al. say that the DES could be broken by this
cryptanalysis if $2^{47}$ sets of chosen plaintext-ciphertext pairs are
available.

The linear cryptanalysis aims to obtain extended keys by
constructing the following linear approximate expression and using
the maximum likelihood method with sets of known plaintext-ciphertext
pairs to the attacker.

$$(L_0, R_0) \cdot \Gamma(L_0, R_0) \oplus (L_{16}, R_{16}) \cdot \Gamma(L_{16}, R_{16}) = (k_0, k_1, \ldots, k_{15}) \cdot \Gamma(k_0, k_1, \ldots, k_{15}) \qquad (9)$$

where $\Gamma(X)$ represents the vector that chooses a particular bit
position of X, and it is called a mask value.

The role of the linear approximate expression is to
approximately replace the cryptographic algorithm with a linear
expression and separate it into a part concerning the set of plaintext
and ciphertext and a part concerning the extended key. That is, in
the set of plaintext-ciphertext pair, the exclusive ORs between the
values at particular bit positions of the plaintext and those of the
ciphertext all take a fixed value, which indicates that it equals the
exclusive OR of the values at particular bit positions of extended
keys. This means that the attacker gets information

$(k_0, k_1, \ldots, k_{15}) \cdot \Gamma(k_0, k_1, \ldots, k_{15})$ (1 bit)

from information

$(L_0, R_0) \cdot \Gamma(L_0, R_0) \oplus (L_{16}, R_{16}) \cdot \Gamma(L_{16}, R_{16})$.

At this time, $(L_0, R_0)$ and $(L_{16}, R_{16})$ are the plaintext and
the ciphertext, and hence they are known. For this reason, if the
attacker can correctly obtain $\Gamma(L_0, R_0)$,
$\Gamma(L_{16}, R_{16})$ and $\Gamma(k_0, k_1, \ldots, k_{15})$, then
he can obtain
$(k_0, k_1, \ldots, k_{15}) \cdot \Gamma(k_0, k_1, \ldots, k_{15})$
(1 bit).

In the DES, it is only in the S-box that the nonlinear
transformation is performed; hence, if only the S-box can be linearly
represented, the linear approximate expression can easily be
constructed. Then, assume that each S-box $S_i$ can be linearly
represented with a probability of $p_{si}$. The point here is that when
the input mask value for the S-box is given, its output mask value
can be predicted with the probability of $p_{si}$. The reason for this
is that the S-boxes, which form a nonlinear transformation table,
provide an extremely uneven distribution of difference mask values
according to the input mask values. For example, in the S-box S5,
when the input mask value is "010000," an output mask value
"1111" is predicted with a probability of 3/16. By combining mask
values in these S-boxes, a linear approximation can be made in each
round between the input mask value and the output mask value
with a probability $p_i$, and by concatenating the linear
approximations in the respective rounds, $\Gamma(L_0, R_0)$,
$\Gamma(L_{16}, R_{16})$ and $\Gamma(k_0, k_1, \ldots, k_{15})$ are
obtained with the following probability:

$$P = 2^{n-1} \prod_i |p_i - 1/2| \qquad (10)$$

Here, the higher the probability P, the easier the cryptanalysis.

According to Matsui, he has succeeded in the analysis of the DES
by this cryptanalysis through utilization of $2^{43}$ sets of known
plaintext-ciphertext pairs.
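The two S-box figures quoted above (S1: input difference "110100" to output difference "0010" with probability 1/4; S5: input mask "010000" with output mask "1111" at 3/16) can be reproduced by exhaustively tabulating each S-box. The following is an added example, not part of the patent text: the S1 and S5 tables are those of FIPS 46-3, the function names are illustrative, and `combined_linear_deviation` applies Eq. (10) as written above.

```python
from fractions import Fraction
from math import prod

# DES S-boxes S1 and S5 (4 rows x 16 columns), as published in FIPS 46-3.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]


def sbox(table, x):
    """Map a 6-bit input to a 4-bit output.

    The two outer bits select the row, the four middle bits the column.
    """
    row = ((x >> 5) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def parity(v):
    """XOR of all bits of v."""
    return bin(v).count("1") & 1


def difference_table(table):
    """counts[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy."""
    counts = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            counts[dx][sbox(table, x) ^ sbox(table, x ^ dx)] += 1
    return counts


def mask_table(table):
    """counts[a][b] = number of inputs x where the input bits chosen by
    mask a and the output bits chosen by mask b have equal parity."""
    return [
        [sum(parity(x & a) == parity(sbox(table, x) & b) for x in range(64))
         for b in range(16)]
        for a in range(64)
    ]


def differential_probability(table, dx, dy):
    """Probability that input difference dx yields output difference dy."""
    return Fraction(difference_table(table)[dx][dy], 64)


def linear_probability(table, a, b):
    """Probability that the linear relation (a, b) holds over all inputs."""
    return Fraction(mask_table(table)[a][b], 64)


def max_differential_probability(table):
    """Largest entry for a non-zero input difference, as a probability."""
    rows = difference_table(table)[1:]
    return Fraction(max(max(row) for row in rows), 64)


def max_linear_deviation(table):
    """Largest |count - 32| over non-zero input and output masks."""
    t = mask_table(table)
    return max(abs(t[a][b] - 32) for a in range(1, 64) for b in range(1, 16))


def characteristic_probability(round_probabilities):
    """P = product of the per-round probabilities p_i (differential case)."""
    return prod(round_probabilities)


def combined_linear_deviation(round_probabilities):
    """Eq. (10): P = 2^(n-1) * product of |p_i - 1/2| over n approximations."""
    n = len(round_probabilities)
    return 2 ** (n - 1) * prod(abs(p - Fraction(1, 2)) for p in round_probabilities)


if __name__ == "__main__":
    print("S1 110100 -> 0010:", differential_probability(S1, 0b110100, 0b0010))
    print("S5 mask 010000 / 1111:", linear_probability(S5, 0b010000, 0b1111))
    print("S1 max differential probability:", max_differential_probability(S1))
    print("S5 max |count - 32|:", max_linear_deviation(S5))
```

A linear probability of 3/16 is useful to the analyst because it lies far from 1/2; it is the distance $|p_i - 1/2|$, not the probability itself, that enters Eq. (10).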

To compete against the above cryptanalysis techniques, the
probability P needs only to be reduced to a sufficiently low value.
Accordingly, a wide variety of proposals have been made to lessen
the probability P, and the easiest way to provide increased security
in the conventional cryptosystem is to increase the number of
rounds. For example, a Triple-DES formed by a concatenation of
three DESs essentially increases the number of rounds from 16 to 48,
and it provides a far lower probability P than in the case of the DES.

However, to increase the number of rounds with a view to
competing against the cryptanalysis techniques described above
inevitably enlarges the scale of the cryptographic device used and
increases the amount of data to process as well. For example, if the
number of rounds is tripled, the workload for encryption will also
increase threefold. That is, since the encryption speed of the present
DES is about 10 Mbps in the Pentium PC class, the encryption speed
of the Triple-DES goes down to around 3.5 Mbps. On the other hand,
networks and computers are becoming increasingly faster year by
year, and hence there is also a demand for encryption devices that
keep up with such speedups. With conventional cryptographic
devices, it is extremely difficult, therefore, to simultaneously meet
the requirements of speedup and security.

The present invention is intended to obviate the abovesaid
defects of the prior art and has for its object to provide a
cryptographic device that satisfies the security requirement without
increasing the number of rounds.

DISCLOSURE OF THE INVENTION 

The present invention is characterized in that a nonlinear
function part, in particular, is provided with: a key-dependent linear
transformation part which linearly transforms input data of the
nonlinear function part based on key data stored in a key storage
part; a splitting part which splits the output data of the
key-dependent linear transformation part to a plurality of bit strings;
first nonlinear transformation parts which nonlinearly transform these
split bit strings, respectively; a first linear transformation part
which linearly transforms the respective output bit strings of the
first nonlinear transformation parts in association with each other;
second nonlinear transformation parts which nonlinearly transform some
or all of the output bit strings of the first linear transformation
part; and a combining part which combines the output bit strings of the
second nonlinear transformation parts into output data of the
nonlinear function part.

To provide increased security, the invention is characterized by 
a second linear transformation part which linearly transforms the 
output data of the combining part to the output data of the nonlinear 
function part. 

Furthermore, the invention is characterized in that either one or 
both of the first and second linear transformation parts are key- 
dependent linear transformation parts which linearly transform the 
input data thereto based on key data stored in the key storage part. 

According to the present invention, it is guaranteed that when
the probability in the S-boxes is $p_{si} \le p_b < 1$ (where $p_b$ is
the maximum differential or linear probability in the S-boxes), the
probability of approximating each round is $p_i \le p_b^2$ (when the
input difference to the function f is not 0 in the case of the
differential cryptanalysis, and when the output mask value from the
function f is not 0 in the case of the linear cryptanalysis). And when
the function f is bijective (in which case a different input always
provides a different output), if the number of rounds of the cipher is
set at 3m, then the probability of the cipher becomes
$P \le p_i^{2m} \le p_b^{4m}$. In general, ciphers are regarded as
being secure against the differential and linear cryptanalysis schemes
if $P < 2^{-64}$; hence, it is necessary only to satisfy
$m > -16/\{\log_2(p_b)\}$, and if $p_b$ < 2^[exponent illegible in
source], it is possible to ensure security with a smaller number of
rounds than 16 rounds needed in the DES. The probability of security
changes for each multiple of m rounds.

The present invention ensures security against the differential
and linear cryptanalysis with a relatively small number of rounds,
and hence it permits implementation of a cryptographic device
which copes with both security and low workload.

BRIEF DESCRIPTION OF THE DRAWINGS 
Fig. 1 is a diagram depicting the functional configuration of a
conventional DES cryptographic device.

Fig. 2 is a diagram depicting a concrete functional configuration
of an f-functional calculus part 12 in Fig. 1.

Fig. 3 is a diagram illustrating the functional configuration of
Embodiment 1 of the present invention.

Fig. 4 is a diagram showing in detail an example of the
functional configuration of a nonlinear function part 304 in
Embodiment 1.

Fig. 5 is a diagram depicting a concrete example of a
key-dependent linear transformation part 347 in Fig. 4.

Fig. 6 is a diagram illustrating the functional configuration of
Embodiment 2 of the present invention.

Fig. 7A is a diagram showing in detail the functional
configuration of a nonlinear function part 304 in Embodiment 2.

Fig. 7B is a diagram showing a concrete example of a linear
transformation part 354 in the nonlinear function part 304.

Fig. 8 is a diagram illustrating the functional configuration of
Embodiment 3 of the present invention.

Fig. 9 is a diagram showing in detail the functional configuration
of a nonlinear function part 304 in Embodiment 3.

BEST MODE FOR CARRYING OUT THE INVENTION 
EMBODIMENT 1 

An embodiment of the present invention will be described 
below with reference to the accompanying drawings. 

Fig. 3 depicts the functional configuration for an encryption
procedure in the cryptographic device according to an embodiment
of the present invention. The cryptographic device of the present
invention also splits input data to two pieces of block data $L_0$
and $R_0$ and subjects them to round processing by n
cascade-connected round processing parts $38_0$ to $38_{n-1}$ in a
sequential order; each round processing part $38_i$
(i = 0, 1, ..., n-1) is made up of a nonlinear function part 304
corresponding to the round function part 12 in Fig. 1, a linear
operation part 305 corresponding to the XOR circuit 13 in Fig. 1
and a swapping part 306.

Input data P, which corresponds to a plaintext, is entered into
the cryptographic device via an input part 301. The following key
data is generated in advance by an extended key generation part 321
on the basis of the data input thereto from a key input part 320 and
stored in a key storage part 322.

{fk; $k_{00}$, $k_{10}$, $k_{20}$; $k_{01}$, $k_{11}$, $k_{21}$; ...; $k_{0(n-1)}$, $k_{1(n-1)}$, $k_{2(n-1)}$; ek}

The input plaintext data P is transformed in a key-dependent initial
linear transformation part 302 with the extended key fk stored in
the key storage part 322, thereafter being split in an initial
splitting part 303 to two pieces of block data $L_0$ and $R_0$. For
example, 64-bit data is split to two pieces of 32-bit block data
$L_0$ and $R_0$. The block data $R_0$ is input to the nonlinear
function part 304 of the 0-th round processing part $38_0$, together
with the extended key $k_{00}$, $k_{10}$ and $k_{20}$ stored in the
key storage part 322, and in the nonlinear function part it is
transformed to data $Y_0$. The data $Y_0$ and the block data $L_0$
are transformed to data $L_0^*$ through an operation in the linear
operation part 305. The data $L_0^*$ and the block data $R_0$ are
subjected to data-position swapping in the swapping part 306 to
provide $L_1 = R_0$ and $R_1 = L_0^*$; $L_1$ and $R_1$ are fed to
the next, first round processing part $38_1$.

Thereafter, in an i-th round processing part $38_i$
(i = 1, ..., n-1) the same processing as described above is repeated
for two pieces of block data $L_i$ and $R_i$. That is, in the i-th
round processing part $38_i$ the data $R_i$, one of the two pieces
of block data $L_i$ and $R_i$, is input into the nonlinear function
part 304, together with the extended key $k_{0i}$, $k_{1i}$ and
$k_{2i}$ stored in the key storage part 322, and in the nonlinear
function part 304 it is transformed to data $Y_i$. The data $Y_i$
and the block data $L_i$ are transformed to data $L_i^*$ by an
operation in the linear operation part 305. The data $L_i^*$ and the
data $R_i$ are swapped in data position in the swapping part 306 to
$L_{i+1} = R_i$ and $R_{i+1} = L_i^*$. The linear operation part 305
is one that performs, for instance, an exclusive-OR operation.

Letting n represent the repeat count suitable to ensure security
of the cryptosystem, two pieces of data $L_n$ and $R_n$ are obtained
as the result of such repeated processing by the round processing
parts $38_0$ to $38_{n-1}$. These pieces of data $L_n$ and $R_n$ are
combined into a single piece of block data in a final combining part
307; for example, two pieces of 32-bit data $L_n$ and $R_n$ are
combined to 64-bit data. Then the thus combined data is transformed
in a key-dependent final linear transformation part 308 using the
extended key ek stored in the key storage part 322, and output data
C is provided as a ciphertext from an output part 309.

To decrypt, the encryption procedure needs only to be reversed,
by which the plaintext P can be derived from the ciphertext C. This
can be done, for example, by inputting ciphertext data in place of
the input data in Fig. 3 and then inputting the extended key in a
sequential order reverse to that in Fig. 3, that is, ek,
$k_{0(n-1)}$, $k_{1(n-1)}$, $k_{2(n-1)}$, ..., $k_{01}$, $k_{11}$,
$k_{21}$, $k_{00}$, $k_{10}$, $k_{20}$, fk.

Fig. 4 illustrates the functional configuration of the nonlinear
function part 304 used in each round processing part $38_i$. The
block data $R_i$ to the i-th round processing part $38_i$
constitutes input data to the nonlinear function part 304, together
with the extended key $k_{0i}$, $k_{1i}$ and $k_{2i}$ stored in the
key storage part 322. The block data $R_i$ is linearly transformed
to data $R_i^*$ in a key-dependent linear transformation part 341
using the extended key $k_{0i}$. The data $R_i^*$ is split, for
instance, to four pieces of 8-bit data $in_0$, $in_1$, $in_2$ and
$in_3$ in a splitting part 342. The four pieces of data $in_0$,
$in_1$, $in_2$ and $in_3$ are nonlinearly transformed to four pieces
of data $mid_{00}$, $mid_{01}$, $mid_{02}$ and $mid_{03}$ in
nonlinear transformation parts 343, 344, 345 and 346, respectively,
from which they are input to a key-dependent linear transformation
part 347.

The key-dependent linear transformation part 347 is made up
of four processing routes $30_0$ to $30_3$ each of which contains at
least one exclusive OR circuit as depicted in Fig. 5; these
processing routes are logically combined by those exclusive OR
circuits. Each processing route performs a linear operation (an
exclusive-OR operation) of its own data with those of the other
processing routes to generate uniformed pieces of data in the
respective processing routes; in the example of Fig. 5, they are
further linearly processed by extended key $k_{1i}$. That is, the
pieces of data $mid_{00}$, $mid_{01}$, $mid_{02}$ and $mid_{03}$ are
fed into the processing routes $30_0$ to $30_3$, respectively. In
the processing route $30_1$ the pieces of input data $mid_{00}$ and
$mid_{01}$ are exclusive ORed by an XOR $31_1$, and in the
processing route $30_2$ the pieces of input data $mid_{02}$ and
$mid_{03}$ are exclusive ORed by an XOR $31_2$, and the outputs from
the XOR $31_1$ and the XOR $31_2$ are exclusive ORed by an XOR
$32_2$. The outputs from the XOR $31_1$ and the XOR $32_2$ are
exclusive ORed by an XOR $33_1$, then the output from the XOR $33_1$
and the input data $mid_{00}$ are exclusive ORed by an XOR $34_0$,
and the output from the XOR $32_2$ and the input data $mid_{03}$ are
exclusive ORed by an XOR $34_3$. Furthermore, the outputs from the
XORs $34_0$, $33_1$, $32_2$ and $34_3$ and extended key $k_{1i0}$,
$k_{1i1}$, $k_{1i2}$ and $k_{1i3}$ are exclusive ORed by XORs $35_0$
to $35_3$, from which $mid_{10}$, $mid_{11}$, $mid_{12}$ and
$mid_{13}$ are output, respectively. That is, the input data
$mid_{00}$, $mid_{01}$, $mid_{02}$ and $mid_{03}$ to the processing
routes $30_0$ to $30_3$ are associated with one another and then
undergo linear transformations which are dependent on the key data
$k_{1i0}$, $k_{1i1}$, $k_{1i2}$ and $k_{1i3}$, respectively. In
short, logical operations given by the following logical expressions
are performed.

$$
\begin{aligned}
mid_{10} &= mid_{00} \oplus mid_{02} \oplus mid_{03} \oplus k_{1i0} \\
mid_{11} &= mid_{02} \oplus mid_{03} \oplus k_{1i1} \\
mid_{12} &= mid_{00} \oplus mid_{01} \oplus mid_{02} \oplus mid_{03} \oplus k_{1i2} \\
mid_{13} &= mid_{00} \oplus mid_{01} \oplus mid_{02} \oplus k_{1i3}
\end{aligned}
\tag{11}
$$

As is evident from these expressions, the output from each
processing route of the key-dependent linear transformation part 34
contains input data of at least two or more other routes in the form
of exclusive ORs in this example, and accordingly the output data of
each route is so uniformed as to contain two or more components of
the four pieces of input data.

These pieces of output data $mid_{10}$, $mid_{11}$, $mid_{12}$ and
$mid_{13}$ are nonlinearly transformed to corresponding pieces of
data $out_0$, $out_1$, $out_2$ and $out_3$ in nonlinear
transformation parts 348, 349, 350 and 351, respectively, and the
pieces of data are provided as output data from the respective
processing routes to a combining part 352, wherein they are combined
into a single piece of block data $Y_i^*$. That is, for example,
four pieces of 8-bit data are combined into one piece of 32-bit
data. The data $Y_i^*$ is linearly transformed by extended key
$k_{2i}$ to data $Y_i$ in a key-dependent linear transformation part
353; thus, the output data $Y_i$ from the nonlinear function part
304 is generated. The nonlinear transformation parts 343 to 346 and
348 to 351 are similar, for instance, to the S-box in the DES, and
they are each formed, for example, by a ROM whose output data
differs with the input data thereto.

The four nonlinear transformation parts 343 to 346 are
arranged in parallel and their transformation processes are not
associated with one another, and hence they can be executed in
parallel; accordingly, an increase in the processing time by
increasing the number of such nonlinear transformation parts can be
dealt with by the parallel processing thereof. The same is true of
the nonlinear transformation parts 348 to 351.

The time necessary for processing in the linear operation part
305 (Fig. 3) and the key-dependent linear transformation parts 341,
347 and 353 (Fig. 4), which constitute each round processing part
$38_i$, is appreciably shorter than the time required to perform
processing of the nonlinear transformation parts 343 to 345 and 348
to 351 similar to the S-box; therefore, the time necessary for
encryption processing is substantially in proportion to the number
of S-boxes or nonlinear transformation parts used. However, since
the key-dependent linear transformation part 347 renders plural
pieces of input data into uniformed outputs as described previously,
it is possible to omit one or more of the nonlinear transformation
parts 348 to 351 and input the corresponding pieces of data into the
combining part 352 when it is preknown that the key-dependent
linear transformation part 347 performs such a particular linear
transformation as described above with reference to Fig. 5. This can
be done without diminishing the security against the differential
and linear cryptanalysis, and the workload for encryption can be
reduced by the number of nonlinear transformation parts thus
omitted. For example, when the key-dependent linear transformation
part 347 is such as shown in Fig. 5, even if the nonlinear
transformation parts 349 and 350 are omitted and the pieces of data
$mid_{11}$ and $mid_{12}$ are fed intact into the combining part
352, the security against the differential and linear cryptanalysis
remains unchanged but the encryption speed increases about 33%.

In other words, when the operation of the key-dependent linear
transformation part 347 is predetermined, the presence of one or
more of the nonlinear transformation parts 348 to 351 may
sometimes have nothing to do with the security against the
differential and linear cryptanalysis, in which case they can be
omitted.

Incidentally, in Fig. 3 the generation of the extended key {fk,
$k_{00}$, $k_{10}$, $k_{20}$, $k_{01}$, $k_{11}$, ..., $k_{0(n-1)}$,
$k_{1(n-1)}$, $k_{2(n-1)}$, ek} by the extended key generation part
321 can be done in the same manner as in the extended key generating
part 16 for the DES in Fig. 1.

If the above cryptographic device is designed so that, for
example, the nonlinear transformation parts 343 to 346 and 348 to
351 are each approximated with a probability of $p_b = 2^{-6}$ by
the differential and linear cryptanalysis techniques and that each
round processing part $38_i$ performs the nonlinear transformation
twice, that is, performs in tandem the processing by the
transformation parts 343 to 346 and the processing by the
transformation parts 348 to 351, each round is approximated with a
probability of $p_i < 2^{-12}$; setting the number n of rounds at
n = 3m, the round processing of the entire cryptographic device is
approximated with a probability of $P < 2^{-24m}$. For example, if
m = 4 (the number of rounds: 12), the probability becomes
$P < 2^{-96}$, which satisfies a security condition $P < 2^{-64}$
with a smaller number of rounds than the 16 of the DES, providing a
cryptographic device with a sufficiently high level of security
against the differential and linear cryptanalysis. That is,
according to the present invention, the security against
cryptanalysis can be increased by configuring the round function 12
(Fig. 1) to perform the nonlinear transformation twice in
succession.

Since the key-dependent initial linear transformation part 302,
the key-dependent final linear transformation part 308 and the
key-dependent linear transformation parts 347 and 353 are linear
transformation parts that are dependent on extended keys, they
provide sufficient security against other cryptanalysis as well as
the differential and linear cryptanalysis, ensuring the
implementation of a cryptographic device that attaches prime
importance to security.

The present invention is not limited specifically to this
embodiment; for example, if it is desirable to speed up encryption,
it is possible to omit any one or all of the key-dependent initial
linear transformation part 302, the key-dependent final linear
transformation part 308 and the key-dependent linear
transformation part 353 as in the embodiment described later on.
In this instance, the security against the differential and linear
cryptanalysis will not be diminished on the one hand, but on the
other hand the processing speed for encryption can be increased
corresponding to the number of operations omitted. But there is a
fear of providing decreased security against the other
cryptanalysis. Alternatively, any one or all of the key-dependent
initial linear transformation part 302, the key-dependent final
transformation part 308 and the key-dependent linear transformation
parts 347 and 353 may be modified to key-independent linear
transformation parts. This will not diminish the security against
the other cryptanalysis as well as the differential and linear
cryptanalysis, and makes it possible to increase the processing
speed for encryption by optimizing the implementation. The linear
transformation parts each perform a transposition of swapping bit
positions of input data in a predetermined relationship, a rotation
of the input data by a predetermined number of bits, and so forth.
The key-dependent linear transformation parts each perform a
rotation by the number of bits corresponding to the extended key, an
exclusive OR of the input data and the extended key, and so on.

EMBODIMENT 2

Fig. 6 illustrates an embodiment which omits the middle two of the
second four nonlinear transformation parts 348 to 351 in the
nonlinear function part 304 (Fig. 4) of the first embodiment shown
in Fig. 3. In this embodiment there are also omitted the
key-dependent initial linear transformation part 302 and the
key-dependent final linear transformation part 308.

The input data P equivalent to a plaintext is input into the
cryptographic device via the input part 301. The input data P is
split to two pieces of block data $L_0$ and $R_0$ in the initial
splitting part 303. The block data $R_0$ is input to the nonlinear
function part 304 of the 0-th round processing part $38_0$, together
with the extended key $k_{00}$ and $k_{20}$ stored in the key
storage part 322, wherein it is transformed to data $Y_0$ through
transformation processing. The data $Y_0$ and the data $L_0$ are
transformed to data $L_0^*$ by an operation in the linear operation
part 305. The data $L_0^*$ and the data $R_0$ are subjected to
data-position swapping in the swapping part 306 to provide
$L_1 = R_0$ and $R_1 = L_0^*$. Thereafter, in the i-th round
processing part $38_i$ (i = 1, ..., n-1) the same processing as
described above is repeated for the two pieces of data $L_i$ and
$R_i$. That is, the data $R_i$, one of the two pieces of data $L_i$
and $R_i$, is input into the nonlinear function part 304, together
with the extended key $k_{0i}$ and $k_{2i}$ stored in the key
storage part 322, and in the nonlinear function part 304 it is
transformed to data $Y_i$. The data $Y_i$ and the data $L_i$ are
transformed to data $L_i^*$ by an operation in the linear operation
part 305. The data $L_i^*$ and the data $R_i$ are swapped in data
position in the swapping part 306 for transformation to
$L_{i+1} = R_i$ and $R_{i+1} = L_i^*$.

Letting n represent the repeat count suitable to ensure security
of the cryptosystem, two pieces of data $L_n$ and $R_n$ are obtained
by such n repeated rounds of processing. These pieces of data $L_n$
and $R_n$ are combined in the final combining part 307, and the
combined output is provided to the output part 309, from which the
output data C is output as the ciphertext.

To decrypt, the encryption procedure needs only to be reversed, 
by which the plaintext P can be derived from the ciphertext C. 

Fig. 7A illustrates the functional configuration of the nonlinear
function part 304 of the i-th round processing part $38_i$ in
Fig. 6. The data $R_i$ from the preceding round processing part
constitutes input data to the nonlinear function part 304, together
with the extended key $k_{0i}$ and $k_{2i}$ stored in the key
storage part 322. The data $R_i$ is linearly transformed to data
$R_i^*$ in the key-dependent linear transformation part 341 using
the extended key $k_{0i}$. Then the data $R_i^*$ is split to four
pieces of data $in_0$, $in_1$, $in_2$ and $in_3$ in the splitting
part 342. The four pieces of data $in_0$, $in_1$, $in_2$ and $in_3$
are nonlinearly transformed to four pieces of data $mid_{00}$,
$mid_{01}$, $mid_{02}$ and $mid_{03}$ in the nonlinear
transformation parts 343, 344, 345 and 346, respectively, from which
they are input to a linear transformation part 354. In the linear
transformation part 354 the four pieces of input data are
transformed so that they are mutually associated between the four
processing routes $30_0$ to $30_3$ as depicted in Fig. 7B. This is
the same example as in the case of omitting the logical operation
with the extended key in Fig. 5 and can be given by the following
expressions.

$$
\begin{aligned}
mid_{10} &= mid_{00} \oplus mid_{02} \oplus mid_{03} \\
mid_{11} &= mid_{02} \oplus mid_{03} \\
mid_{12} &= mid_{00} \oplus mid_{01} \oplus mid_{02} \oplus mid_{03} \\
mid_{13} &= mid_{00} \oplus mid_{01} \oplus mid_{02}
\end{aligned}
\tag{12}
$$

By this linear transformation, uniformed data $mid_{10}$,
$mid_{11}$, $mid_{12}$ and $mid_{13}$ are generated, and two pieces
of data $mid_{10}$ and $mid_{13}$ are nonlinearly transformed to
data $out_0$ and $out_3$ in the nonlinear transformation parts 348
and 351, respectively, after which the four pieces of data $out_0$,
$mid_{11}$, $mid_{12}$ and $out_3$ are combined into a single piece
of data $Y_i^*$ in the combining part 352. Finally, the data $Y_i^*$
is linearly transformed to the data $Y_i$ in the key-dependent
linear transformation part 353 using the extended key $k_{2i}$, by
which the output data $Y_i$ from the nonlinear function part 304 is
generated.

The nonlinear transformation parts 343 to 346 are arranged in
parallel and their transformation processes are not associated with
one another, and hence they can be executed in parallel. The same
goes for the nonlinear transformation parts 348 and 351. In this
embodiment, since the number of second nonlinear transformations
in each nonlinear function part 304 is reduced to the outer two (348
and 351) alone, the workload for encryption or decryption can be
decreased accordingly.

Incidentally, the extended key $k_i$ is data transformed in the
extended key generation part 321 from the secret key Key input
into the cryptographic device via the key input part 320 and stored
in the key storage part 322.

In the case of the above cryptographic device, for example, if
the nonlinear transformation parts 343 to 346, 348 and 351 are
designed to provide an approximate representation with the
probability of $p_b = 2^{-6}$ against the differential and linear
cryptanalysis, each round processing part can provide an
approximate representation with the same probability of
$p_i \le 2^{-12}$ as in Embodiment 1; setting the number n of rounds
at n = 3m, the cryptographic device provides an approximate
representation with the probability of $P \le 2^{-24m}$ as a whole.
For example, if m = 4 (the number of rounds: 12), the probability
becomes $P \le 2^{-96}$, ensuring a sufficiently high level of
security against the differential and linear cryptanalysis.

Moreover, the presence of the key-dependent linear
transformation part 353 provides a margin of security against other
cryptanalysis than the differential and linear cryptanalysis, and
the simplified configuration as compared with that of Embodiment 1
reduces the workload. That is, the cryptographic device of this
embodiment places importance on the balance between security and
reduced workload.

EMBODIMENT 3

Fig. 8 illustrates an embodiment which omits the key-dependent
linear transformation part 353 in the nonlinear function part 304
of the second embodiment depicted in Fig. 6. The input data P
equivalent to a plaintext is input into the cryptographic device via
the input part 301. The input data P is split to two pieces of block
data $L_0$ and $R_0$ in the initial splitting part 303. The block
data $R_0$ is input to the nonlinear function part 304 of the 0-th
round processing part $38_0$, together with extended key $k_0$
stored in the key storage part 322, wherein it is transformed to
data $Y_0$ through transformation processing. The data $Y_0$ and the
data $L_0$ are transformed to data $L_0^*$ by an operation in the
linear operation part 305. The data $L_0^*$ and the data $R_0$ are
subjected to data-position swapping in the swapping part 306 for
transformation to $L_1 = R_0$ and $R_1 = L_0^*$. Thereafter, in the
i-th round processing part $38_i$ the same processing as described
above is repeated for the two pieces of data $L_i$ and $R_i$. That
is, the data $R_i$, one of the two pieces of data $L_i$ and $R_i$,
is input into the nonlinear function part 304, together with
extended key $k_i$ stored in the key storage part 322, and in the
nonlinear function part 304 it is transformed to data $Y_i$. The
data $Y_i$ and the data $L_i$ are transformed to data $L_i^*$ by an
operation in the linear operation part 305. The data $L_i^*$ and the
data $R_i$ are swapped in data position in the swapping part 306 for
transformation to $L_{i+1} = R_i$ and $R_{i+1} = L_i^*$, and two
pieces of block data $L_{i+1}$ and $R_{i+1}$ are output.

Letting n represent the repeat count suitable to ensure security
of the cryptosystem, two pieces of data $L_n$ and $R_n$ are obtained
by such n repeated rounds of processing. These pieces of data $L_n$
and $R_n$ are combined in the final combining part 307, and the
combined output is provided to the output part 309, from which the
output data C is output as the ciphertext.

The ciphertext C can be deciphered to the plaintext P by
following the encryption procedure in reverse.

Fig. 9 illustrates the functional configuration of the nonlinear
function part 304 in Fig. 8. The data $R_i$ to the nonlinear
function part 304 is fed to the key-dependent linear transformation
part 341, together with the extended key $k_i$ stored in the key
storage part 322. The data $R_i$ is linearly transformed to data
$R_i^*$ in the key-dependent linear transformation part 341 using
the extended key $k_i$. Then the data $R_i^*$ is split to four
pieces of data $in_0$, $in_1$, $in_2$ and $in_3$ in the splitting
part 342. The four pieces of data $in_0$, $in_1$, $in_2$ and $in_3$
are nonlinearly transformed to four pieces of data $mid_{00}$,
$mid_{01}$, $mid_{02}$ and $mid_{03}$ in the nonlinear
transformation parts 343, 344, 345 and 346, respectively, from which
they are input to the linear transformation part 354. The linear
transformation part 354 linearly transforms them to the following
pieces of data $mid_{10}$, $mid_{11}$, $mid_{12}$ and $mid_{13}$,
for example, in the same manner as described above with reference to
Fig. 7B in Embodiment 2.

$$
\begin{aligned}
mid_{10} &= mid_{00} \oplus mid_{02} \oplus mid_{03} \\
mid_{11} &= mid_{02} \oplus mid_{03} \\
mid_{12} &= mid_{00} \oplus mid_{01} \oplus mid_{02} \oplus mid_{03} \\
mid_{13} &= mid_{00} \oplus mid_{01} \oplus mid_{02}
\end{aligned}
\tag{13}
$$

Then the two pieces of data $mid_{10}$ and $mid_{13}$ are
nonlinearly transformed to data $out_0$ and $out_3$ in the nonlinear
transformation parts 348 and 351, respectively, after which the four
pieces of data $out_0$, $mid_{11}$, $mid_{12}$ and $out_3$ are
combined into a single piece of data in the combining part 352, by
which the output data $Y_i$ from the nonlinear function part 304 is
generated.

The nonlinear transformation parts 343 to 346 are arranged in
parallel and their transformation processes are not associated with
one another, and hence they can be executed in parallel. The same
goes for the nonlinear transformation parts 348 and 351.

Incidentally, the extended key is data transformed in the 
extended key generation part 321 from the secret key Key input 
into the cryptographic device via the key input part 320 and stored 
in the key storage part 322. 
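
The Embodiment 3 data path of Figs. 8 and 9, as an added sketch that is not code from the patent. It assumes 64-bit blocks, takes part 341 to be a plain XOR with the round key (one of the operations the text lists for key-dependent linear transformations), and uses a constructed placeholder S-box and constructed round keys; all function names are hypothetical.

```python
import random

# Constructed placeholder S-box: a fixed pseudo-random permutation of 0..255.
# The patent leaves the S-box contents open; this one has no vetted
# differential or linear properties and only makes the structure runnable.
rng = random.Random(0)
SBOX = list(range(256))
rng.shuffle(SBOX)

# Constructed round keys k_0 .. k_11 (n = 3m rounds with m = 4). The extended
# key generation part 321 is not modelled here.
ROUND_KEYS = [rng.getrandbits(32) for _ in range(12)]

MASK32 = 0xFFFFFFFF


def split4(word):
    """Splitting part 342: 32-bit word -> four 8-bit pieces in_0..in_3."""
    return [(word >> shift) & 0xFF for shift in (24, 16, 8, 0)]


def join4(parts):
    """Combining part 352: four 8-bit pieces -> one 32-bit word."""
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def linear_354(mid0):
    """Linear transformation part 354, expressions (12)/(13)."""
    m00, m01, m02, m03 = mid0
    return [
        m00 ^ m02 ^ m03,        # mid_10
        m02 ^ m03,              # mid_11
        m00 ^ m01 ^ m02 ^ m03,  # mid_12
        m00 ^ m01 ^ m02,        # mid_13
    ]


def f_function(r, k):
    """Nonlinear function part 304 of Fig. 9."""
    r_star = (r ^ k) & MASK32                    # part 341 (XOR assumed)
    mid0 = [SBOX[b] for b in split4(r_star)]     # parts 343 to 346
    mid1 = linear_354(mid0)
    # Only routes 0 and 3 carry a second S-box (parts 348 and 351);
    # mid_11 and mid_12 pass straight to the combining part.
    return join4([SBOX[mid1[0]], mid1[1], mid1[2], SBOX[mid1[3]]])


def encrypt(p, round_keys):
    l, r = (p >> 32) & MASK32, p & MASK32        # initial splitting part 303
    for k in round_keys:
        # L_{i+1} = R_i and R_{i+1} = L_i XOR f(R_i, k_i)  (parts 305, 306)
        l, r = r, l ^ f_function(r, k)
    return (l << 32) | r                         # final combining part 307


def decrypt(c, round_keys):
    l, r = (c >> 32) & MASK32, c & MASK32
    for k in reversed(round_keys):
        # Undo one round: R_i = L_{i+1}, L_i = R_{i+1} XOR f(L_{i+1}, k_i)
        l, r = r ^ f_function(l, k), l
    return (l << 32) | r


if __name__ == "__main__":
    plaintext = 0x0123456789ABCDEF               # constructed sample block
    ciphertext = encrypt(plaintext, ROUND_KEYS)
    print(f"{ciphertext:016x}", decrypt(ciphertext, ROUND_KEYS) == plaintext)
```

Decryption works without inverting the S-boxes or part 354, because each round only XORs the output of the nonlinear function part into the other half.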

In the case of the above cryptographic device, for example, if
the nonlinear transformation parts 343 to 346, 348 and 351 are
designed to provide an approximate representation with the
probability of $p_b = 2^{-6}$ against the differential and linear
cryptanalysis, each round processing part can provide an
approximate representation with the probability of
$p_i \le 2^{-12}$; setting the number n of rounds at n = 3m, the
cryptographic device provides an approximate representation with the
probability of $P < 2^{-24m}$ as a whole. For example, if m = 4 (the
number of rounds: 12), the probability becomes $P < 2^{-96}$,
ensuring a sufficiently high level of security against the
differential and linear cryptanalysis.

Moreover, since the cryptographic device of this embodiment
has a configuration that includes the minimum number of parts
required to provide a sufficient level of security against the
differential and linear cryptanalysis, the workload is reduced and
the encryption or decryption speed is improved accordingly.

In the above, the splitting part 342 in the nonlinear function
part 304 need not always split the input data into four but may
also split it to an arbitrary number of pieces. In the case of
splitting the data into four, the number of second nonlinear
transformation parts may be reduced to only two as depicted in
Figs. 7A and 9.

In the following table there are shown, in comparison with the
case of the DES of Figs. 1 and 2, the security level per round, the
number of rounds satisfying the security requirement and the
workload (the number of steps) necessary therefor in the case of
using six nonlinear transformation parts (343 to 346, 348, 351) in
the nonlinear function part 304 (a round function) depicted in the
second and third embodiments described above. In the comparison,
the embodiments of the present invention used a total of 32 bits for
the data to the nonlinear transformation parts 343 to 346 which
correspond to the S-boxes of the DES, and hence the data to each
nonlinear transformation part was 8-bit; therefore, the size of each
S-box was made 8-bit and consequently, the number of S-boxes was
four.

Comparative Table

                  No. of S-boxes   Security level   Required No.   No. of steps
                  per round        per round        of rounds
DES               4                $2^{-6}$         17             68
This invention    6                $2^{-12}$        9              54


As will be seen from this table, the number of S-boxes (the
number of nonlinear transformation parts) per round in the present
invention is larger than in the DES, but the security level per
round in the present invention is twice that of the DES. On this
account, the number of rounds required to meet the security
requirement is smaller than in the case of DES, and the workload
(the number of steps) necessary for providing the security is also
smaller.
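
The per-round bound behind the table, and the earlier statement that parts 349 and 350 can be omitted, can be checked by counting the S-boxes that a nonzero difference or mask is forced through. The following is an added example, not part of the patent: it assumes bijective S-boxes, treats the key-dependent parts as XORs (which do not change which bytes are active), reads the round requirement as the smallest m with $p_b^{4m} \le 2^{-64}$, and uses hypothetical function names.

```python
import math
from itertools import product

# Byte-wise XOR matrix of expressions (12)/(13): row j lists which mid_0i
# are XORed into mid_1j.
M = [
    (1, 0, 1, 1),  # mid_10 = mid_00 ^ mid_02 ^ mid_03
    (0, 0, 1, 1),  # mid_11 = mid_02 ^ mid_03
    (1, 1, 1, 1),  # mid_12 = mid_00 ^ mid_01 ^ mid_02 ^ mid_03
    (1, 1, 1, 0),  # mid_13 = mid_00 ^ mid_01 ^ mid_02
]

# Every coefficient is 0 or 1, so the minimum number of nonzero bytes over
# all byte values equals the minimum over these 15 one-bit-per-byte patterns.
NONZERO_PATTERNS = [v for v in product((0, 1), repeat=4) if any(v)]


def apply(matrix, vec):
    """Matrix-vector product over GF(2)."""
    return tuple(sum(a & b for a, b in zip(row, vec)) & 1 for row in matrix)


def transpose(matrix):
    return [tuple(col) for col in zip(*matrix)]


def is_bijective(matrix):
    """A 4x4 GF(2) map is bijective iff its 16 inputs give 16 outputs."""
    outputs = {apply(matrix, v) for v in product((0, 1), repeat=4)}
    return len(outputs) == 16


def min_active_differential(matrix, second_layer_routes):
    """Fewest S-boxes hit by any nonzero difference entering the function.

    v marks the first-layer S-boxes (343 to 346) carrying a difference;
    matrix * v marks the routes that still differ after part 354, of which
    only those in second_layer_routes have an S-box.
    """
    return min(
        sum(v) + sum(apply(matrix, v)[j] for j in second_layer_routes)
        for v in NONZERO_PATTERNS
    )


def min_active_linear(matrix, second_layer_routes):
    """Fewest S-boxes hit by any nonzero output mask of the function.

    z marks the routes with a nonzero mask after part 354; masks travel
    backwards through the transposed matrix to the first-layer S-boxes.
    """
    mt = transpose(matrix)
    return min(
        sum(apply(mt, z)) + sum(z[j] for j in second_layer_routes)
        for z in NONZERO_PATTERNS
    )


def rounds_needed(log2_pb, log2_target=-64):
    """Smallest m with p_b^(4m) <= 2^log2_target, and the round count 3m."""
    m = math.ceil(log2_target / (4 * log2_pb))
    return m, 3 * m


if __name__ == "__main__":
    outer = (0, 3)  # routes of parts 348 and 351
    print("bijective:", is_bijective(M))
    print("differential:", min_active_differential(M, outer))
    print("linear:", min_active_linear(M, outer))
    m, n = rounds_needed(-6)
    print("m, rounds, steps:", m, n, 6 * n)
```

With S-boxes on routes 0 and 3 only, both counts are 2, which is the $p_b^2$ per-round bound; with a single second-layer S-box the count drops to 1. For $p_b = 2^{-6}$ the function returns 9 rounds, and 6 S-boxes per round over 9 rounds gives the 54 steps in the table.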


EFFECT OF THE INVENTION 

As described above in detail, according to the present invention,
the input data is split to plural pieces of data in the nonlinear
function part, then these pieces of data are nonlinearly transformed
and linearly transformed in association with each other, and at
least one part of such linearly transformed data is nonlinearly
transformed, by which it is possible to provide a highly secure
cryptographic device for concealing data in data communication or
storage.

WHAT IS CLAIMED IS

1. A cryptographic device which encrypts input data by
sequentially processing it by a plurality of round processing which 
nonlinearly transforms it using extended key, comprising: 

an initial splitting part which splits the input data to two pieces 
of block data; 

a key storage part for storing extended key; 

a plurality of cascade-connected round processing parts which
are supplied with said two pieces of block data and sequentially 
process them using said extended key; and 

a final combining part which combines two pieces of block data 
output from the last round of said plurality of cascade-connected 
round processing parts into a single piece of data and outputs it; 

wherein each of said plurality of round processing part 
comprises: 

a nonlinear function part which transforms one of two pieces of 
block data input thereto from the preceding stage, depending on 
extended key stored in said key storage part; 

a linear operation part which linearly operates the output data 
from said nonlinear function part and the other of said two pieces of 
block data; and 

a swapping part which swaps the output data from said linear 
operation part and the input block data to said nonlinear function 
part and provides the two pieces of swapped data as two pieces of 
input block data to said round processing part of the next round; and 

wherein said nonlinear function part comprises:

a key-dependent linear transformation part which linearly
transforms input data based on extended key stored in said key
storage part to thereby generate transformed data;

a splitting part which splits the transformed data from said
key-dependent linear transformation part to a plurality of bit
strings;

a plurality of first nonlinear transformation parts which
nonlinearly transform these bit strings, respectively, and output
transformed data;

a first linear transformation part which linearly transforms the
transformed data from said plurality of first nonlinear
transformation parts in association with each other and outputs a
plurality of pieces of uniformed data to a plurality of routes,
respectively;

a second nonlinear transformation part provided in at least one
of said plurality of routes, for nonlinearly transforming said
uniformed data from the corresponding one of said first linear
transformation parts, and for outputting the transformed data as
data of that route; and

a final combining part which combines data from said plurality
of routes into output data of said nonlinear function part.

2. The cryptographic device of claim 1, wherein said first linear 
transformation part comprises a key-dependent linear operation 
part which linearly transforms said plurality of pieces of uniformed
data based on extended key stored in said key storage part and
outputs the plurality of transformed data as data of said plurality of
routes. 



3. The cryptographic device of claim 1 or 2, wherein there is 
provided a second linear transformation part which linearly 
transforms the output data from said combining part to provide the 
output data of said nonlinear function part. 

4. The cryptographic device of claim 3, wherein said second 
linear transformation part is a linear transformation part which 
performs a linear transformation based on extended key stored in 
said key storage part. 

5. The cryptographic device of claim 4, wherein said first linear
transformation part comprises at least one exclusive OR circuit
provided in each of said plurality of routes, for outputting said
uniformed data to said each route by an exclusive-OR operation of
data of said each route and data of other routes.

6. The cryptographic device of any one of claims 1 through 5, 
wherein there is provided an initial linear transformation part which 
linearly transforms said input data and supplies it to said initial 
splitting part. 

7. The cryptographic device of claim 6, wherein said initial 
linear transformation part is a transformation part which performs a 
linear transformation based on extended key stored in said key 
storage part. 

8. The cryptographic device of any one of claims 1 through 7, 
wherein there is provided a final linear transformation part which 
linearly transforms the output data of said final combining part to 
provide it as the output of said cryptographic device. 

9. The cryptographic device of claim 8, wherein said final linear
transformation part is a transformation part which performs a linear
transformation based on extended key stored in said key storage
part.

10. The cryptographic device of any one of claims 1 through 9, 
wherein said plurality of routes are first, second, third and fourth 
routes arranged in this order. 

11. The cryptographic device of claim 10, wherein said second 
nonlinear transformation part is provided in each of said four routes.

12. The cryptographic device of claim 10, wherein said second 
nonlinear transformation part is provided in each of said first and 
fourth routes. 

13. The cryptographic device of claim 12, wherein said first 
linear transformation part comprises: 

a first exclusive OR circuit provided in said second route, for 
carrying out the exclusive-OR between data of said first route and 
data of said second route; 

a second exclusive-OR circuit provided in said third route, for 
carrying out the exclusive OR between data of said fourth route and
data of said third route; 

a third exclusive-OR circuit provided in said third route, for 
carrying out the exclusive OR between the output of said second 
exclusive-OR circuit and the output of said first exclusive-OR circuit; 

a fourth exclusive-OR circuit provided in said second route, for 
carrying out the exclusive OR between the output of said first 
exclusive-OR circuit and the output of said third exclusive-OR circuit; 

a fifth exclusive-OR circuit provided in said first route, for 
carrying out the exclusive OR between the data of said first route 
and the output of said fourth exclusive-OR circuit; and 



a sixth exclusive-OR circuit provided in said fourth route, for 
carrying out the exclusive OR between the data of said fourth route 
and the output of said third exclusive-OR circuit. 



ABSTRACT OF THE DISCLOSURE 

In a secret-key cryptographic device, there are cascade-connected a
plurality of round processing parts and the round processing part of
each i-th round is supplied with input data L_i and R_i, nonlinearly
transforms the input data R_i in a nonlinear function part on the
basis of extended key, then provides the exclusive OR between the
nonlinearly transformed output and the input data L_i as data R_{i+1}
for input into the next round and outputs the input data R_i as data
L_{i+1} for input into the next round. The nonlinear function part of
each round comprises: a key-dependent linear transformation part
which performs a key-dependent linear transformation of the input
R_i; a splitting part which splits the linearly transformed output to
four pieces of data in_0, in_1, in_2 and in_3; first nonlinear
transformation parts which nonlinearly transform the four split
pieces of data and output nonlinearly transformed data mid_00,
mid_01, mid_02 and mid_03, respectively; a key-dependent linear
transformation part which associates these transformed outputs
with each other and, at the same time, linearly transforms them
based on extended key to output data mid_10, mid_11, mid_12 and
mid_13; second nonlinear transformation parts which nonlinearly
transform these transformed outputs, respectively, and output data
out_0, out_1, out_2 and out_3; and a combining part which combines
these transformed outputs into output data Y.
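
The round structure of claim 1 and the abstract, with the second nonlinear transformation parts placed as in claim 12 and the six exclusive-OR circuits of claim 13, written out as an added Python example (not code from the application). The 8-bit routes, 32-bit half blocks, the use of XOR with a subkey as the key-dependent linear transformation, and the placeholder S-box are assumptions; the application's own tables and key schedule do not appear in this section.

```python
import random

# Constructed placeholder S-box (a fixed byte permutation), assumed for
# illustration; it is not a table from the application.
SBOX = random.Random(1).sample(range(256), 256)

def xor_network(a, b, c, d):
    """Claim 13: six XOR circuits over the first..fourth routes."""
    x1 = a ^ b      # first XOR, in the second route
    x2 = d ^ c      # second XOR, in the third route
    x3 = x2 ^ x1    # third XOR, in the third route
    x4 = x1 ^ x3    # fourth XOR, in the second route
    x5 = a ^ x4     # fifth XOR, in the first route
    x6 = d ^ x3     # sixth XOR, in the fourth route
    return x5, x4, x3, x6

def network_matrix():
    """GF(2) matrix of xor_network: rows = output routes, columns = inputs."""
    units = [[1 if j == i else 0 for j in range(4)] for i in range(4)]
    cols = [xor_network(*u) for u in units]
    return [[cols[i][r] for i in range(4)] for r in range(4)]

def xor_network_inverse(o1, o2, o3, o4):
    """Inverse map, obtained by solving the matrix above over GF(2)."""
    return o1 ^ o2, o1 ^ o3, o2 ^ o3 ^ o4, o3 ^ o4

def f_function(r, subkey):
    """Nonlinear function part of claim 1 on a 32-bit half block."""
    t = r ^ subkey                                       # key-dependent linear part (assumed XOR)
    routes = [(t >> s) & 0xFF for s in (24, 16, 8, 0)]   # splitting part
    routes = [SBOX[v] for v in routes]                   # first nonlinear parts
    o = list(xor_network(*routes))                       # first linear transformation part
    o[0], o[3] = SBOX[o[0]], SBOX[o[3]]                  # claim 12: first and fourth routes
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]  # combining part

def encrypt(block, subkeys):
    left, right = block >> 32, block & 0xFFFFFFFF        # initial splitting part
    for k in subkeys:
        left, right = right, left ^ f_function(right, k) # XOR, then swap
    return (left << 32) | right                          # final combining part

def decrypt(block, subkeys):
    left, right = block >> 32, block & 0xFFFFFFFF
    for k in reversed(subkeys):
        left, right = right ^ f_function(left, k), left  # undo one round
    return (left << 32) | right
```

`network_matrix()` returns an invertible matrix over GF(2), so the claim-13 network maps distinct route values to distinct outputs, and `decrypt` inverts `encrypt` for any subkey list without needing an inverse of `f_function`.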